NullByte

https://download.vulnhub.com/nullbyte/NullByte.ova.zip

靶场IP:192.168.32.14

扫描对外端口服务

┌──(root㉿kali)-[~]
└─# nmap -sV -p1-65535 192.168.32.14
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-08 22:43 EDT
Nmap scan report for 192.168.32.14
Host is up (0.00011s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
777/tcp   open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
44438/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:6C:32:B0 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.38 seconds

访问80端口

image-20220909104418628

爆破web目录,没有发现有用的信息。

查看图片信息,找到一个路径:kzMb5nVYJw

访问:/kzMb5nVYJw

image-20220909110246554

查看页面源代码

image-20220909110502388

使用hydra爆破输入框

爆破出来的密码是:elite

image-20220909110652822

输入框存在SQL注入漏洞

base64解密

hashcat爆破哈希

image-20220909111959800

ssh登录

找到procwatchprocwatch是调用ps命令。

于是可以修改环境变量,让procwatch执行假的ps命令。

上一页NoName下一页OZ

最后更新于

这有帮助吗?